Disposal of former police stations

Caroline Pidgeon: Please provide an update on the current ownership status of all police stations London that were disposed of between 2012 and 2016.

The Mayor: Once sold or disposed of the MPS and MOPAC do not routinely track the subsequent ownership of properties. Current ownership details of all police stations disposed of during the period referred to is publicly available from the Land Registry. Sites disposed of are listed at https://www.london.gov.uk/what-we-do/mayors-office-policing-and-crime-mopac/governance-and-decision-making/finance-and-audit

Breach of Oyster data (1)

Caroline Pidgeon: Following the reports in early August 2019 that Oyster online accounts had been hacked please set out what is TfL’s estimate of the total number of TfL customers who were affected?

The Mayor: 1,821 of approximately 6.5 million Oyster online accounts were accessed maliciously as a result of the security incident identified last month. There was no fault in or breach of Transport for London’s (TfL’s) security systems. Access to the accounts arose from customers using the same credentials (username and password) for multiple sites, with the correct username and password being used to access the accounts. I understand that it is most likely that these customers used the same credentials for another online account elsewhere which may have already been compromised. The Information Commissioner was informed and has advised that no action will be taken regarding this incident.

Breach of Oyster data (2)

Caroline Pidgeon: Please set out what measures TfL has taken to contact customers who might have had their Oyster online accounts hacked. Please also set out what measures are in place to reduce the risk of further hacking of Oyster accounts.

The Mayor: Transport for London (TfL) locked all the Oyster online accounts which were accessed maliciously when this incident came to light on 7th August 2019. As the incident arose from customers using the same login credentials (username and password) for another online account which most likely had already been compromised, all affected customers were emailed, advising them to change their password. Of the 1,821 accounts affected, 241 Oyster cards were cancelled and have since been replaced.
Additional security measures have been put in place to protect customer data. This includes installing ‘Recaptcha’ to validate that the account is being accessed by a human being. Other confidential measures have also been put in place.
TfL has been supporting the National Cyber Security Agency and British Transport Police in undertaking a criminal investigation regarding this incident.